Analysis

  • max time kernel
    83s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 19:44

General

  • Target

    ec4c22a803ac608611df5b4fe38c6b4665a5d1fbc24d2bfeb4abfe655d7b9da5.exe

  • Size

    5.4MB

  • MD5

    711cd445a34c9892e76a82270ad46a24

  • SHA1

    e008839ab63d36226193f8d39677a210c42ae140

  • SHA256

    ec4c22a803ac608611df5b4fe38c6b4665a5d1fbc24d2bfeb4abfe655d7b9da5

  • SHA512

    3788121e4d151a1031fb6d00baa62241b2bc3e45f642f03ddf9e480093bc07eea9ef61f0264afb7f509383b844aa96cb0f0ab6929b2dc3fc70e616139afdd752

  • SSDEEP

    98304:p8sjk3hRWieWT0ywsagZ9VeXD3OKvRbgyNMY/HzrCU7vXGa:PjYhRPeWvnzwrOjy9//xTXf

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • NTFS ADS 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec4c22a803ac608611df5b4fe38c6b4665a5d1fbc24d2bfeb4abfe655d7b9da5.exe
    "C:\Users\Admin\AppData\Local\Temp\ec4c22a803ac608611df5b4fe38c6b4665a5d1fbc24d2bfeb4abfe655d7b9da5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c takeown /f C:\ldrscan\bootwin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\ldrscan\bootwin
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c takeown /f C:\ldrscan\bootwin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\ldrscan\bootwin
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1812
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
        3⤵
        PID:1052
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
          4⤵
          PID:1512
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        3⤵
        PID:1352
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          4⤵
          PID:2400
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "compact /u \\?\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\AEGLM"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2916
        • C:\Windows\SysWOW64\compact.exe
          compact /u \\?\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\AEGLM
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3068
        • C:\bootsect.exe
          C:\bootsect.exe /nt60 SYS /force
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2840
    • C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
      C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Users\Admin\AppData\Local\Temp\Activer.exe
        "C:\Users\Admin\AppData\Local\Temp\Activer.exe" "del" C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        PID:1816

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Acer.XRM-MS

            Filesize

            2KB

            MD5

            f25832af6a684360950dbb15589de34a

            SHA1

            17ff1d21005c1695ae3dcbdc3435017c895fff5d

            SHA256

            266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

            SHA512

            e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

          • C:\Users\Admin\AppData\Local\Temp\WindowsActiver.exe

            Filesize

            597KB

            MD5

            1f691ab8266ade4dffd908610d79b6be

            SHA1

            e437eb9d1d743cd84a00977396b2da643f08ae01

            SHA256

            24b216f2ef95aeab5d62c4e18f206b3d6873d40aa1ccfac676cff1a8f4987b30

            SHA512

            e5791868088ae81640bc8bf13f5aa9393d763fad0dfccee20e41dd7734c85cfceca775b787791cf57a4c5c3ee94fe0bffd4c709ee350386dea09a76524933599

          • C:\Users\Admin\AppData\Local\Temp\sfx.dll

            Filesize

            2.1MB

            MD5

            c310316d34abd7ea3bd9d07a384b2556

            SHA1

            0a40516fd899a78609254d05932cfbca45e70dae

            SHA256

            f67e22b28eddd3eb446314b9081059d2bed2402438e9205baf8ab366d19537f8

            SHA512

            b7e6103b30e4d6dae82564013e7b5ede33a08450695ec121f5fa987bc94b5c9c115404bc44a4178d50dbb62ca17bca0e1d3df35586efb12be77db7df8af9c6da

          • C:\bootsect.exe

            Filesize

            95KB

            MD5

            1d2df077c770b31dec847d3a297a2f3f

            SHA1

            400ec72055841328a471335465046f7c593e3e1d

            SHA256

            6d3b210ef0077f39bbd5ec1ee6358d4d698035a3f0aa49432535994058fdcc2b

            SHA512

            cdaf0c3fe2ebb0fffb3e55d25e706f52fe94573b6e550b70f9a054af4f8625aa1cc5464a7d34aa325c3a003822294627e5c4b8049728d4aaa4bfb6ab9097ede8

          • \??\Volume{367eaf83-3d79-11ef-ac21-806e6f6e6963}\AEGLM

            Filesize

            432KB

            MD5

            3948abf40c6cbe6391fa151903ae004e

            SHA1

            1d02996c24da007207c3580273874fc63c36ac3b

            SHA256

            54d6168f61e3397e8c3b6e4e16473be38ea6aee13e12f1a6c52ed8e0f16f19c1

            SHA512

            57664804794bd8cfd109c0bf04a304223f4deb737a6525715a6b476299078bb4dcf77a55790fa18d4b81b8edf78cc034653e8769e8de0da5616cf74f3583fa26

          • \Users\Admin\AppData\Local\Temp\WindowsLoader.exe

            Filesize

            3.8MB

            MD5

            323c0fd51071400b51eedb1be90a8188

            SHA1

            0efc35935957c25193bbe9a83ab6caa25a487ada

            SHA256

            2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

            SHA512

            4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

          • memory/1816-136-0x0000000000110000-0x000000000022F000-memory.dmp

            Filesize

            1.1MB

          • memory/1816-132-0x0000000000110000-0x000000000022F000-memory.dmp

            Filesize

            1.1MB

          • memory/1816-119-0x0000000000110000-0x000000000022F000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-116-0x00000000008D0000-0x00000000009EF000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-113-0x0000000003F10000-0x000000000402F000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-102-0x0000000003F10000-0x000000000402F000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-112-0x0000000003F10000-0x000000000402F000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-111-0x0000000003F10000-0x000000000402F000-memory.dmp

            Filesize

            1.1MB

          • memory/1952-93-0x00000000008D0000-0x00000000009EF000-memory.dmp

            Filesize

            1.1MB

          • memory/2432-8-0x0000000002FE0000-0x0000000003203000-memory.dmp

            Filesize

            2.1MB

          • memory/2432-91-0x0000000001020000-0x000000000113F000-memory.dmp

            Filesize

            1.1MB

          • memory/2680-114-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

          • memory/2680-11-0x0000000000280000-0x0000000000293000-memory.dmp

            Filesize

            76KB

          • memory/2680-19-0x00000000002A0000-0x00000000002B0000-memory.dmp

            Filesize

            64KB

          • memory/2680-24-0x0000000000360000-0x0000000000372000-memory.dmp

            Filesize

            72KB

          • memory/2680-32-0x0000000010000000-0x0000000010021000-memory.dmp

            Filesize

            132KB

          • memory/2680-40-0x0000000000380000-0x0000000000391000-memory.dmp

            Filesize

            68KB

          • memory/2680-48-0x00000000002B0000-0x00000000002C0000-memory.dmp

            Filesize

            64KB

          • memory/2680-56-0x00000000002D0000-0x00000000002E0000-memory.dmp

            Filesize

            64KB

          • memory/2680-64-0x00000000003A0000-0x00000000003C0000-memory.dmp

            Filesize

            128KB

          • memory/2680-72-0x0000000002580000-0x0000000002723000-memory.dmp

            Filesize

            1.6MB

          • memory/2680-164-0x0000000000400000-0x0000000000623000-memory.dmp

            Filesize

            2.1MB

          • memory/2840-95-0x0000000002260000-0x000000000247D000-memory.dmp

            Filesize

            2.1MB

          • memory/2840-86-0x0000000002260000-0x000000000247D000-memory.dmp

            Filesize

            2.1MB